Andrew van der Stock

CEO

Geelong, Victoria, Australia · 34 yrs 4 mos experience
Most Likely To Switch · Highly Stable

Key Highlights

  • Executive Director at OWASP leading global application security.
  • Co-lead for OWASP Top 10 and Application Security Verification Standard.
  • Over 25 years of experience in IT and security.
Stackforce AI infers this person is a Cybersecurity expert with extensive experience in application security and organizational leadership.

Skills

Core Skills

Application Security, Security Architecture Design, Project Management, Compliance, Governance, Leadership, Community Engagement, Technical Writing, Organizational Development, Technical Leadership, Service Development, Client Engagement, Security Architecture, Web Application Security, Secure Development, Security Updates, IT Infrastructure, System Administration, Tutoring, Quality Assurance, Web Development, Programming

Other Skills

Agile Methodologies, Agile Security, Architecture, Architectures, Business Continuity, COBIT, Chapter Development, Cloud Security, Code Review, Computer Forensics, Computer Security, Content Development, Course Development, Cryptography, Data Analysis

About

NOTE: I do not monitor my LinkedIn regularly. Please email me if you need to contact me.

Andrew is a seasoned web application security specialist and enterprise security architect. He is the Executive Director at OWASP, taking the Foundation through organizational change and taking our mission to the next level. Andrew has worked in the IT industry for over 25 years. Andrew has researched and developed the web application security and architecture fields since 1998. He is a Lifetime member of OWASP, former Director, and co-leads the OWASP Application Security Verification Standard and OWASP Top 10 projects. An Australian ex-pat of Melbourne and Sydney, he currently lives in the USA with his family.

Experience

Total Experience: 34 yrs 4 mos
Average Tenure: 3 yrs 6 mos
Current Experience: 5 yrs 10 mos

OWASP Foundation

6 roles

Executive Director

Promoted

Jun 2020 - Present · 5 yrs 10 mos

  • As Executive Director, Andrew will be leading the organization to improve application security globally, broaden the inclusiveness of our mission to bring together developers, testers, and security professionals. The organization has historically been driven by a number of global events, but with COVID-19, it will be necessary to broaden our income sources and activities to help deliver industry leading updates to all our major projects, a transition to virtual training and conferences, and help drive membership and chapter growth.
Application Security, Security Architecture Design, Organizational Change

Project Lead, OWASP Top 10

May 2017 - Present · 8 yrs 11 mos

  • As project co-lead, Andrew was instrumental in rebooting the OWASP Top 10 2017, and getting it out the door. Appointing three other co-leads, and working with OWASP members and the wider industry, Andrew helped define a new transparent development and release process, and worked tirelessly to get new data collected, analyzed, and re-wrote the OWASP Top 10 2017. We kicked off the OWASP Top 10 2020 in August 2019, with a likely release date of Q3 2020.
Application Security, Project Management, Data Analysis

Director, Global Board

Promoted

Jan 2015 - Dec 2018 · 3 yrs 11 mos

  • Andrew was elected to the Global Board of Directors for 2015-2016, standing on a platform of being an OWASP project champion, improving diversity and inclusion in application security, building open source university level curriculums for adoption worldwide, and improving OWASP's transparency, governance and leadership.
Governance, Diversity and Inclusion, Leadership

Project Lead, OWASP Developer Guide

Promoted

Apr 2012 - May 2015 · 3 yrs 1 mo

  • The OWASP Developer Guide is the Web Application Security Bible.
  • Andrew is leading a team of experts in updating the content to include modern concerns, whilst ensuring the fundamentals are robust, easily understood, implementable, and testable.
Content Development, Application Security

Committee Member, Global Chapters Committee

Dec 2010 - Jan 2012 · 1 yr 1 mo

  • General agent of havoc and change. Working to make chapters better throughout the world.
Chapter Development, Community Engagement

Project co-lead, OWASP Application Security Verification Standard

Feb 2009 - Present · 17 yrs 2 mos

  • Andrew has participated in the OWASP Application Security Verification Standard since the release of 1.0. He was the co-lead of 2.0, 3.0 and 4.0. The OWASP Application Security Verification Standard is the premier and most comprehensive application security standard, used by governments and large organizations all over the globe. If you are looking for an AppSec standard, this is it. It's designed to be testable, with simple requirements. 4.0 incorporates NIST 800-63 compliance and more than covers the OWASP Top 10 2017.
Application Security, Standard Development, Compliance

Synopsys Inc

Managed Services Technical Leader, Senior Principal Consultant

Jun 2017 - May 2020 · 2 yrs 11 mos · Colorado Springs, Colorado Area

  • I provide technical leadership to a growing and vibrant global team located in Bangalore, India, Bloomington Indiana, Sterling Virginia, and across the United States. Andrew is responsible for providing global Technical Leadership, working with Practice Directors to update and define new services, revamp existing services to be the very definition of industry-leading, work with our clients and internal teams to build custom managed security testing solutions, communicate publicly on important topics, and to ensure that our staff have the best training and opportunities to progress to the next level.
Technical Leadership, Service Development

Threat Intelligence Pty Ltd

CTO

Nov 2014 - Jun 2017 · 2 yrs 7 mos · Australia

  • As Chief Technology Officer, I am helping build out Threat Intelligence's portfolio of services, defining agile delivery of modern services that global clients need.
  • My background is secure code review and security architecture, so no guesses as to what I do during the day. Whilst we move our clients to be far ahead of the pack by thinking differently about security, we will still be doing penetration testing and vulnerability assessments, but our goal is to create a fundamental shift in the security mindset from reactive and tick box compliance to proactive security that actually reduces the risks from threats. This means working closely with our clients, going on a shared security journey, and measuring progress.
  • As we grow, my goal is to make Threat Intelligence the first choice for out of the box thinkers - whether grads through hardened cynics - to want to come work for us, learn from us, and develop their careers as professional security consultants. Too many boutiques and large consulting firms talk the talk during recruitment but then don't follow through. We want a different company culture that respects the unusual qualities that infosec giants possess, and harness those attributes for high performing engagements and high quality deliverables every time for our clients.
Service Development, Agile Methodologies

KPMG Australia

Associate Director

Jun 2011 - Nov 2014 · 3 yrs 5 mos · Melbourne, Australia

  • Andrew led a growing team of technical specialists within KPMG Australia, performing the sort of highly technical reviews you'd expect from a boutique consultancy, but with the aim of enabling secure business with the global backing of the entire KPMG team.
  • I mentored the entire Australian technical security services team, provided useful information and assistance to our global pen test community, and helped recruit the best and brightest to create the future of our industry.
  • I designed services to be delivered nationally by the best suited team members to meet our client's needs wherever they are located. The work plans are not secret or the dark arts - it's all documented in the open standards work I participate in at OWASP. The best results flow when we work closely with our clients.
  • The results have been nothing short of breathtaking - highly satisfied clients that leads directly to repeat business and word of mouth recommendations. Leading edge research and good recruiting and mentoring begets excellent work begets great security solutions for customers.
Technical Leadership, Mentoring

Pure Hacking

Principal Consultant

Jan 2009 - May 2011 · 2 yrs 4 mos

  • At Pure Hacking, I established the world's best security architecture, code review, and agile security program. Some of my wins included:
  • Agile Security Development Lifecycle Programs
  • Security Architecture
  • Security Architecture Reviews
  • Secure Code Reviews
  • and Penetration Testing
  • Andrew moved back to Australia to take up this position.
Service Design, Client Engagement

Aspect Security

Senior Security Engineer

Nov 2006 - Jan 2009 · 2 yrs 2 mos

  • Consult to a wide variety of clients, primarily on web application security issues.
  • Conducted code reviews, vulnerability assessments, and risk management and architecture.
  • Travelled extensively and trained several hundred developers in the fine art of secure software development.
  • Created new training materials for Ajax and Web Services, and updated other training decks.
Security Architecture, Agile Security

OWASP Foundation

3 roles

Executive Director

Promoted

May 2006 - Nov 2007 · 1 yr 6 mos

  • Andrew worked to create the OWASP Board as it stands today. Andrew worked to create transparency and robust organizational processes.
Organizational Development, Transparency

Project Co-Lead, OWASP Top 10 2007

Promoted

Mar 2006 - Nov 2007 · 1 yr 8 mos

  • Andrew was one of the primary forces behind the OWASP Top 10 2007, which defined the evidence based methodology used by the OWASP Top 10 for the next decade. The OWASP Top 10 2007 was incorporated into PCI DSS 1.0, which is the payments industry security standard as section 6.5.
Project Management, Security Standards

Lead Author, OWASP Guide

Jan 2002 - Dec 2009 · 7 yrs 11 mos

  • Contributor 2002-2004
  • Lead Author / Editor of Guide 2.0 (from November 2004 on)
  • Currently working on Guide 3.0
Content Development, Technical Writing

National Australia Bank

Web Application Security Specialist

Jan 2005 - Nov 2006 · 1 yr 10 mos

  • Provide code reviews to many internal clients. Currently working on security architecture for a forthcoming large scale corporate Internet Banking product.
Secure Development, Code Review

Ultimabb

Lead Developer

Dec 2004 - Jan 2009 · 4 yrs 1 mo

  • Re-writing a secure forum, initially based on XMB Forum's code base, but now has less than 10% of the original code.
  • As Security Manager I ensure the code is safe to run in hostile environments, track Bugtraq and develop fixes for known issues
  • As this is an open source project conducted in my own time, it's going fairly slowly and may never complete.
Web Application Security, Training

B-sec

Chief Technologist

Jan 2002 - Jan 2005 · 3 yrs

  • Security architecture and design, web application security reviews, threat risk assessments, forensic collection and analysis, and organization policy. Mentoring and training staff.
Code Review, Security Architecture

XMB

Developer

Jan 2002 - Dec 2004 · 2 yrs 11 mos

  • Provided security updates to XMB Forum
  • Developer (2003-2004)
Security Architecture, Forensics

SAGE-AU

El Presidente (retired)

Jan 2000 - Jan 2001 · 1 yr

  • Lead SAGE-AU.
Security Architecture, Forensics

E-secure

Senior Security Architect

Nov 1998 - Jan 2002 · 3 yrs 2 mos

  • Security architecture and design, web application security reviews, threat risk assessments, firewall and infrastructure design and implementation, and organization policy. Mentoring and training staff.
Security Updates, Development

E-secure Pty Ltd

Senior Security Architect

Jan 1998 - Jan 2001 · 3 yrs

  • Security architecture and design, web application security reviews, threat risk assessments, firewall and infrastructure design and implementation, and organization policy. Mentoring and training staff

North Western Health

Senior System Administrator

Jul 1997 - Nov 1998 · 1 yr 4 mos

  • Andrew was employed to undertake a transformation of disparate hospital systems across a wide range of previous health care networks, and to bring the benefits of a large centrally managed IT systems infrastructure to improve patient care and privacy. Andrew designed and implemented new IT infrastructure, undertaking a competitive request for proposals that led to the acquisition of a large mainframe to run the PICK based patient electronic record management system, and other large IT projects, such as Y2K and a relocation of many sub-standard server closets to a purpose built data center.
Security Architecture, Forensics

St Vincent's Hospital

Senior System Administrator

Jan 1996 - Jul 1997 · 1 yr 6 mos

  • In this role, Andrew was initially employed as a Microsoft Windows system administrator and Macintosh help desk resource, but was quickly identified to work on major IT transformation projects, such as the roll out of Microsoft Exchange replacing a hodge podge of Lotus ccMail and MS Mail. Andrew rose to become a senior systems administrator for St Vincent's Hospital. One of Andrew's key achievements was getting St Vincent's on the Internet, and establishing the firewall, website and DMZ during a time when hospitals rarely had e-mail, let alone a web presence.
IT Infrastructure, Project Management

RMIT

2 roles

Tutor

Mar 1995 - Nov 1995 · 8 mos

  • Tutored Internet subjects to MBA students. Constructed the course syllabus and provided four hours a week contact with several classes.
System Administration

System Administrator

Jan 1995 - Jan 1996 · 1 yr

  • System administrator for the Business Faculty.
System Administration, IT Transformation

Nemostar

2 roles

Software Quality Assurance

Promoted

Dec 1994 - Jul 1995 · 7 mos

  • Provided part time SQA services to Nemostar on a product called Flexifax.
Tutoring, Course Development

Lead Programmer, MacOS port

Sep 1993 - Jul 1994 · 10 mos

  • Worked on porting a Win16 program to MacOS.
Web Development

Melbourne University

Project Worker

Feb 1994 - Nov 1994 · 9 mos

  • Provided web server and site design for an early outreach program for youths. Duties included obtaining funding from likely donor organizations.
Quality Assurance

Connecting Point

Help Desk and System Administrator

Nov 1991 - Nov 1993 · 2 yrs

  • Worked as a help desk drone for Mac products. Helped (or hindered as the case may be) with system administration.
Programming

Education

RMIT University

CS — Computer Science

Jan 1990 - Jan 1994

Melbourne High School

HSC

Feb 1985 - Nov 1988
